Logo
Grounded Ninja
globe Site
About
Pricing
Sign In Get Started

Privacy Policy

Effective Date: November 23, 2025
Last Updated: November 23, 2025

1. Introduction

Welcome to GroundedNinja ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our productivity application and related services (the "Service").

2. Information We Collect

2.1 Information You Provide

  • Account Information: When you create an account, we collect your name, email address, and profile information through Google OAuth authentication or email/password signup.
  • Content: We collect and store the content you create within our app, including notes, tasks, journals, nodes, and other user-generated content.
  • Communications: If you contact us directly, we may receive additional information about you.

2.2 Information We Collect Automatically

  • Usage Data: We collect information about how you use our Service, including features accessed, time spent, and interaction patterns.
  • Device Information: We may collect information about your device, including device type, operating system, and app version.
  • Log Data: Our servers automatically record information when you use our Service, including your IP address, browser type, and timestamps.

2.3 Sensitive Personal Data

GroundedNinja is a "Dojo for the Mind" - a space for deep self-reflection and personal growth. When you use features like Journals, Values exercises, and Cognitive Reframing (CBT), you may choose to record:

  • Health information: Your physical or mental health, emotions, wellbeing
  • Philosophical or religious beliefs: Your values, spiritual practices, life philosophy
  • Psychological data: Thought patterns, cognitive processes, behavioral insights

Under the General Data Protection Regulation (GDPR), this is "special category data" that requires additional protection.

Our Commitment:

  • We only process this data with your explicit consent
  • We remind you before you use features that may contain sensitive data
  • You can withdraw consent at any time and request deletion of your data
  • Your data is never used to train general AI models
  • We do not share this data except as necessary to provide our services (e.g., AI processing via Google AI as described in Section 4.1)

Legal Basis: GDPR Article 9(2)(a) - Explicit Consent

3. How We Use Your Information & Legal Basis

We process your personal data on the following legal bases:

Service Provision (Contract - GDPR Article 6(1)(b))

Processing necessary to provide GroundedNinja's core features, including:

  • AI-powered Sage dialogues
  • Content organization and search
  • Account management

Consent (GDPR Article 9(2)(a))

For processing sensitive data (health information, philosophical beliefs, psychological patterns) that may be present in your journals and reflections. You provide explicit consent during signup and can withdraw at any time.

Legitimate Interest (GDPR Article 6(1)(f))

For automatic features like semantic search embeddings and connection suggestions. We process your data based on our legitimate interest in providing personalized experiences. You can opt-out in Settings → Privacy.

Legal Obligation (GDPR Article 6(1)(c))

To comply with legal requirements, tax obligations, and respond to lawful requests from authorities.

4. How We Share Your Information

We do not sell, trade, or otherwise transfer your personal information to third parties, except in the following circumstances:

4.1 Service Providers

We may share your information with trusted third-party service providers who assist us in operating our Service:

  • Google Cloud Platform: Infrastructure hosting (servers, databases)
  • Google AI (Gemini): AI processing for Sage dialogues, insights, and search
    • Your content is processed but never used to train general AI models
    • Privacy policy: Google AI Terms
  • Stripe: Payment processing (for paid plans)
  • Google OAuth: Authentication services (if you sign in with Google)

4.2 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests from public authorities.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service.

5. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect your personal information.

What We Do to Protect Your Data:

Access Controls

  • Row-Level Security (RLS): Every database query enforces user-level isolation. You can only access your own data.
  • Authentication: OAuth 2.0 (Google) or secure password hashing (bcrypt) for email/password accounts
  • Session Management: Secure, time-limited sessions with automatic expiry

Data Transmission

  • TLS/HTTPS: All data transmitted between your device and our servers is encrypted using industry-standard TLS 1.3
  • Secure APIs: All API endpoints require authentication and use encrypted connections

Infrastructure Security

  • Google Cloud Platform: Our infrastructure is hosted on GCP, which maintains SOC 2 Type II, ISO 27001, and GDPR compliance
  • Database Security: PostgreSQL with Cloud SQL managed service, automatic security updates
  • Regular Backups: Automated daily backups with 30-day retention for disaster recovery

Important Limitations (Transparency):

Encryption at Rest

Your content is stored in readable form, not encrypted at rest. This means:

  • We can technically read your journals, notes, and other content
  • This is necessary for AI processing (Sage dialogues, semantic search, insights)
  • End-to-end encryption would make these core features impossible

Why we're telling you this: We believe in radical transparency. Some services claim "bank-level encryption" while still processing your data with AI. We're honest about the trade-off: powerful AI features require readable content.

Staff Access Policy

Our team members have limited access to user data:

  • Normal operations: Zero access to your content
  • Debugging/support: Access only with your explicit permission or for critical system issues
  • Audit logs: All staff access is logged and monitored

AI Processing Security

  • Your content is sent to Google AI for processing but is never used to train general AI models
  • AI requests are processed in real-time and not permanently stored by the AI provider
  • Google AI has their own security measures and GDPR compliance (see their terms)

Your Responsibility

  • Choose a strong, unique password
  • Keep your login credentials secure
  • Log out from shared devices
  • Report any suspected security issues to security@grounded.ninja

Security Disclaimer

While we implement industry-standard security practices, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you within 72 hours as required by GDPR Article 33.

6. Data Retention

We retain your personal information for as long as necessary to provide our Service and fulfill the purposes outlined in this policy.

Account Data:

You may delete your account at any time through Settings → Account. We will delete your personal information immediately upon request, including:

  • Your account and profile
  • All content (journals, insights, aspirations, chat messages)
  • All AI-generated data (embeddings, connections, suggestions)
  • All session and authentication data
  • All billing records (except as required by law for tax purposes)

Retention Periods:

  • Active accounts: Retained indefinitely while you use the service
  • Deleted accounts: Immediately and permanently deleted (no soft-delete)
  • Billing records: 7 years (UK tax law requirement)
  • Session logs: 30 days after expiry
  • AI request logs: 30 days for debugging purposes

Backups: Database backups are retained for 30 days for disaster recovery. Deleted data is removed from backups within 30 days of deletion.

7. Your Rights

Under GDPR and other privacy laws, you have the following rights regarding your personal information:

  • Access: Request access to your personal information (Settings → Account → Export Data)
  • Correction: Request correction of inaccurate information (edit directly in the app)
  • Deletion: Request deletion of your personal information (Settings → Account → Delete Account)
  • Portability: Request a copy of your data in a portable markdown format (Settings → Account → Export Data)
  • Objection: Object to certain processing of your information (Settings → Privacy)
  • Withdraw Consent: Withdraw consent for sensitive data processing at any time (Settings → Account → Delete Account)
  • Lodge a Complaint: File a complaint with your local data protection authority if you believe we've violated your rights

To exercise these rights, use the in-app settings or contact us at privacy@grounded.ninja.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States and European Union. We ensure appropriate safeguards are in place to protect your information in accordance with GDPR and other applicable data protection laws.

Our service providers (Google Cloud Platform, Google AI) maintain GDPR compliance and use Standard Contractual Clauses (SCCs) for international data transfers.

9. Automated Decision-Making & Profiling

We use artificial intelligence to enhance your experience:

AI Features:

  • Suggest connections between your content
  • Generate personalized insights and next steps
  • Assess content quality for search ranking
  • Provide semantic similarity scoring

No Significant Automated Decisions:

These automated processes do not make decisions that significantly affect you legally or in a similarly significant way. The AI provides suggestions and enhancements, but you remain in full control of your content and decisions.

Your Rights:

  • You can opt-out of automatic AI features in Settings → Privacy
  • You can request human review of any AI-generated suggestion
  • You can delete all AI-generated data at any time

10. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete such information immediately.

11. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes, we will also email you at the address associated with your account.

Your continued use of our Service after such changes constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us at:

Email: privacy@grounded.ninja

Security Issues: security@grounded.ninja

Website: https://grounded.ninja

Address: 4 Cumberland grove, Bristol, BS6 5LD, United Kingdom

This privacy policy is designed to comply with GDPR (EU/UK), CCPA (California), and other applicable privacy laws. We are committed to protecting your privacy and maintaining transparency about our data practices.

GDPR Representative: As we process data of EU residents, our GDPR representative can be reached at the email address above.

© 2025 Grounded Ninja. All rights reserved. Privacy · Terms